Should I put user's nickname and avatar into user's access token like jwt? what's the best practice?
sub Subject - This holds the identifier for the token (defaults to
user id)
iat Issued At - When the token was issued (unix timestamp)
exp Expiry - The token expiry date (unix timestamp)
nbf Not Before - The earliest point in time that the token can be
used (unix timestamp)
iss Issuer - The issuer of the token (defaults to the request url)
jti JWT Id - A unique identifier for the token (md5 of the sub and
iat claims)
Just put the user's uniquely identifies into the subject claim.
Related
I'm trying to login with Linkedin and Firebase. I generate on my server the custom token, I have my private key, I use RS256 and this is my payload:
"iss" : service_account_email
"sub" : service_account_email
"aud", "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit"
"iat", Date().timeIntervalSince1970
"exp", Date().timeIntervalSince1970.advanced(by: 3600)
"uid", String.randomString(length:28)
I create the token, send it back to the app and from this I do:
Auth.auth().signIn(withCustomToken: token!, completion: { (user, error) in
I receive no error and a user back, so the token is valid. The problem is that the user has no values (no email, no displayName etc). the only thing is the uid which is the one that I set with: String.randomString(length:28)
How can I retrieve the user email and other info? In my linkedin account I have a displayname, email, picture etc. But here nothing.
Thanks
You have to set that manually. Firebase Auth has APIs to update profile (photo URL and display name) as well as email. You can send this LinkedIn data along with the custom token to your app, sign in with custom token and then update profile and email on that signed in custom token user.
By the way, set the LinkedIn ID as the UID for that user. Do not use a random string. Otherwise the next time you sign in with LinkedIn, the same user will map to another one.
I'm currently working on ApplePay and we are decrypting the token on our own server.
The decryption of token is done but there is a few things I don't quite understand. From the Getting-Started-with-Apple-Pay we know that:
"The payment token encapsulates the
information needed to complete a payment
transaction, including the device-specific
account number, the amount, and a unique,
one-time-use cryptogram."
But from the Payment Token Format Reference, there are 8 things contained in a token:
applicationPrimaryAccountNumber
applicationExpirationDate
currencyCode
transactionAmount
cardholderName
deviceManufacturerIdentifier
paymentDataType
paymentData
We get the accountNumber and the amount, but which one of those is the cryptogram?
Is it the last one, paymentData, since the other 7 really don't look like cryptogram? If not, how could we get this cryptogram?
I'd also like to ask what should we do after we get the cryptogram? Should we send the cryptogram and accountNumber to the acquirer?
Thank you!
If you look at the Payment Token Format
You will see that the token contains a paymentDataType string and a paymentData dictionary.
If the paymentDataType is "3DSecure" then the paymentData dictionary will contain a key onlinePaymentCryptogram which is the cryptogram string.
This must be submitted to your payment gateway if you are submitting a 3-D Secure transaction.
I got below error while using service account from my local machine
Error:
invalid_grant”, Description:””, Uri:””.
see code below -
string[] scopes = new string[] {
AnalyticsService.Scope.Analytics
}; // view and manage your Google Analytics data
var keyFilePath = #
"c:\xxxxxxx.p12"; // Downloaded from https://console.developers.google.com
var serviceAccountEmail = "xxxxx#developer.gserviceaccount.com"; // found https://console.developers.google.com
//loading the Key file
var certificate = new X509Certificate2(keyFilePath, "notasecret", X509KeyStorageFlags.Exportable);
var credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountEmail) {
Scopes = scopes
}.FromCertificate(certificate));
var service = new AnalyticsService(new BaseClientService.Initializer() {
HttpClientInitializer = credential,
ApplicationName = "Analytics API Sample",
});
string profileId = "xxxxxx";
DataResource.RealtimeResource.GetRequest request = service.Data.Realtime.Get(String.Format("ga:{0}", profileId), "rt:activeUsers");
RealtimeData feed = request.Execute();
invalid_grant has two common causes.
Your server’s clock is not in sync with NTP. (Solution: check the server time if its incorrect fix it. )
The refresh token limit has been exceeded. (Solution: Nothing you can do they cant have more refresh tokens in use)
Applications can request multiple refresh tokens. For example, this is useful in situations where a user wants to install an application on multiple machines. In this case, two refresh tokens are required, one for each installation. When the number of refresh tokens exceeds the limit, older tokens become invalid. If the application attempts to use an invalidated refresh token, an invalid_grant error response is returned. The limit for each unique pair of OAuth 2.0 client and is 25 refresh tokens (note that this limit is subject to change). If the application continues to request refresh tokens for the same Client/Account pair, once the 26th token is issued, the 1st refresh token that was previously issued will become invalid. The 27th requested refresh token would invalidate the 2nd previously issued token and so on.
I have also read of a third which is if you don't include access_type=offline in your request. I have never had an issue with this one myself
To start I am using the Google OAuth 2.0 code from this site https://github.com/google/google-api-php-client
I need to find out where in this oauth directory the token expires and logs you out. I am having issues with the refresh token and usually the token expires in 1 hour and throws me an error, but I cant keep waiting for 1 hour each time I make a change to see if the code works or not. I have changed some time settings in the code to like 10 or 60 seconds but they don't do anything. Please let me know which file and where I can change the time the token expires and logs out the logged in user.
Thanks,
I have added the following code because the problem is in here, something with this get function is not renewing/using the refresh token. How can I write this code better.
$service = new Google_Service_Oauth2 ($client);
if ($client->getAccessToken()) {
//For logged in user, get details from google using access token
$user = $service->userinfo->get();
$user_id = filter_var($user['id'],FILTER_SANITIZE_SPECIAL_CHARS);
$user_name = filter_var($user['name'], FILTER_SANITIZE_SPECIAL_CHARS);
$first_name = filter_var($user['given_name'], FILTER_SANITIZE_SPECIAL_CHARS);
$last_name = filter_var($user['family_name'], FILTER_SANITIZE_SPECIAL_CHARS);
$email = filter_var($user['email'], FILTER_SANITIZE_EMAIL);
// $profile_url = filter_var($user['link'], FILTER_VALIDATE_URL);
$profile_image_url = filter_var($user['picture'], FILTER_VALIDATE_URL);
$gender = filter_var($user['gender'], FILTER_SANITIZE_SPECIAL_CHARS);
// $personMarkup = "$email<div><img src='$profile_image_url?sz=50'</div>";
$_SESSION['upload_token'] = $client->getAccessToken();
}
There is no way to change Google's access token expiry time. However, the Google_Client::isAccessTokenExpired() method will return true if the token has expired or expires in 30 seconds from now. Your code should not need to deal with renewing a token only after it fails but can check if the access token is expired before it is going to call any method with that particular access token.
There's still an edge case that remains: you can simulate that by manually revoking the access token (out-of-band of your app) using:
curl https://accounts.google.com/o/oauth2/revoke?token=<access_token>
and then run/test your code that still holds on to the now revoked access token. The error code on access is the same for revoked or expired ("invalid_token"), and the handling is the same anyhow.
I am new to OAuth, and want to get the user ID (an email address) from Google using OAuth.
But I don't want to get the user's Google Contacts Information.
We can get google Email address only not the contacts by making the scope of request token Like :
"https://www.google.com/accounts/OAuthGetRequestToken?scope=https://www.googleapis.com/auth/userinfo#email";
Now do a authorized call to get the response like :
var responseText = oAuthConsumer.GetUserInfo("https://www.googleapis.com/userinfo/email", consumerKey, consumerSecret, token, tokenSecret);
Here by saying authorized call mean to make the HTTP Get request with required paramaters in header.
header string should contain: realm, consumerKey, signatureMethod, signature, timestamp, nounce, OAuthVersion, token
Please refer to http://googlecodesamples.com/oauth_playground to verify your code and to see the correct header string parameters